[Techtalk] Re: iptables help needed ...

txjulie at austin.rr.com txjulie at austin.rr.com
Fri Dec 20 13:33:55 EST 2002


Raven Alder wrote:
> 
> Heya --
> 
> Quoth txjulie at austin.rr.com (Thu, Dec 19, 2002 at 10:41:46PM -0600):
> > On Tuesday I tried to switch from ipchains to iptables for a
> > firewall.  Apparently I did something very wrong because last
> > night I got hacked and root-kitted and all sorts of bad things.
> 
>         Any idea of how it happened?  (Root's .bash_history or
> something?  Signatures in the logs?)  Knowing how they got in will
> help prevent it happening again.  A good firewall is a thing of
> beauty, but if the service they exploited is one that's allowed
> through the firewall then you're still in trouble.

It was pretty tricky.  It seems they came in via some hole in sshd
and then deposited a =huge= root-kit.  It was hard to figure out
exactly what happened because so many programs were changed.  For
example, "ls" wouldn't show any of the files in the root-kit, or
at least, wouldn't show the more interesting ones.

My guess is that I left access to sshd open to the world.  Very
few other services were enabled, although the previous firewall
was quite effective at keeping everyone out -- except the IBM
proxy server and a friend's box in Florida.  When I switched to
iptables I had to leave a few more things open, and my guess is
that I left entirely too much open.

> > I'd love to send y'all the iptables rules I used, but I had to
> > reinstall this thing -- I didn't want to risk backing up my
> > new files only to include my new rootkit infestation ...
> 
>         Yeah -- levels of appropriate paranoia.  [grins]  Hope you had
> recent backups.

Recent enough -- but /, /usr, /var and friends were too trashed,
and it's faster to re-install and be done with it than dredge up
the backups, which have to be restored from DVD via a machine
in the kitchen.  I've not bothered restoring anything from them
yet as they only contained configuration information which was
recreated during the re-install and the old firewall rules, which
I have to get rid of on account of needing features which are
only present in iptables.  Mostly it was just very embarassing.

> > So ... could y'all be so kind as to help?  Please?  I feel
> > like a dope ;-(
> 
>         Sure.  What is going to be behind the firewall, what did you
> want to let through, and what did you want to keep out?

Things I want to let in are ssh, vnc (ports 5901 through 5910)
from two different machines, and ftp from those same two machines.
I'm not sure what I want to let through just yet -- the old firewall
rules allowed everything out and only pre-existing connections
back in, plus DNS responses from wherever.

What =must= work is that ICMP has to be masqueraded.  I use NAT inside
the house on a couple of 192.168.x/24 networks.  What I was trying
to make work is an AT&T VPN gadget which idiotically tries to
ping its destinations before attempting to connect to them.  Which
is =retarded=.  ipchains doesn't handle ICMP properly, so the VPN
was giving up after the pings failed -- even though it could have
opened a TCP connection to them.
-- 
Julianne Frances Haugh             Life is either a daring adventure
txjulie at austin.rr.com                  or nothing at all.
					    -- Helen Keller
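One way to express the requirements in this message as an iptables script, added here as an illustration and not something the poster or the list provided. The interface names (eth0 outside, eth1 inside), the 192.168.0.0/16 summary of the house networks and the two trusted addresses are placeholders, the ip_conntrack_ftp module is assumed loaded, and the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: eth0 = Internet side,
# eth1 = house LANs, the two trusted hosts are documentation addresses.
WAN=eth0
LAN=eth1
LAN_NETS=192.168.0.0/16
TRUSTED="203.0.113.10 198.51.100.20"
# Dry run by default: print the rules. Run with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

gen_rules() {
    # Default deny inbound and forwarded traffic; outbound stays open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F
    $IPT -A INPUT -i lo -j ACCEPT
    # Connection tracking lets replies to our own traffic back in: that covers
    # DNS answers and ICMP echo replies, which ipchains could not match.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh, vnc 5901-5910 and ftp only from the two trusted hosts, never from
    # the whole Internet (the exposure the poster suspects let the attacker in).
    # Assumes ip_conntrack_ftp is loaded so ftp data connections count as RELATED.
    for h in $TRUSTED; do
        $IPT -A INPUT -i $WAN -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT
        $IPT -A INPUT -i $WAN -p tcp -s $h --dport 5901:5910 -m state --state NEW -j ACCEPT
        $IPT -A INPUT -i $WAN -p tcp -s $h --dport 21 -m state --state NEW -j ACCEPT
    done
    # House networks may open anything outbound; MASQUERADE covers TCP, UDP
    # and ICMP, so the VPN box's pings get translated along with everything else.
    $IPT -A FORWARD -i $LAN -s $LAN_NETS -o $WAN -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LAN_NETS -o $WAN -j MASQUERADE
    # Log (rate limited) what the default policy is about to drop, so the next
    # probe against the box shows up in syslog instead of going unnoticed.
    $IPT -A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

gen_rules
```

Run it once as a dry run and read the printed rules before applying; every ACCEPT for ssh, vnc or ftp should carry a -s address, since an ACCEPT without one is the open-to-the-world rule the poster is trying to avoid.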
